Apple's recently released iOS 11 mobile operating system update plugs a vulnerability that made it possible to retrieve information on apps installed on user devices, creating a privacy threat.
Software developer Pierre Blazquez told iTnews that he reverse-engineered Apple's MobileCoreServices development framework for iOS and tried "a good-looking method in a dumb app".
In doing so, he discovered that it was possible to use the Launch Services application programming interface (API) in iOS 10.x to list which apps users have on their devices.
Blazquez also found that he could determine where in the device file system the apps were installed; whether the user had any extensions, such as a virtual private network or widgets; and other information.
The Launch Services API is private, meaning it should be restricted to Apple only, and be out of bounds for third-party developers.
Furthermore, apps on iOS are supposed to be isolated from one another, or sandboxed, and not able to access each other's information.
Blazquez reported the issue to Apple in February this year, and a fix for the issue has been applied to iOS 11.
He termed the vulnerability "AppBleed" and published a proof of concept on GitHub.
By using dynamic linking with code obfuscation to get past Apple's App Store security vetting, it's possible to create a malicious app with remotely activated functionality to retrieve data from user devices, Blazquez noted.
The vulnerability appears to have been exploited by developers to glean information on what users have installed on their devices.
"We observed quite a few App Store apps abusing this private API, mostly Chinese [ones]," founder of mobile app security analyser Verify.ly, Will Strafach, said.
Apple first attempted to prohibit apps from snooping on each other in iOS 9, as the issue rose to the fore, Strafach said.
"It can be a mild privacy concern as it enables any App Store app to silently see what other apps you have installed, along with metadata such as code signers.
"Internal enterprise apps would stand out, something of particular interest to malicious folks," Strafach told iTnews.